It still uses the ADSP from Quectel, but from my usage (and from other's reports), it is FAR more stable than the stock firmware. It is also immune to this vunerability (I don't even think it has atfwd_daemon).
I think the ARM core on that is pretty weak even compared to the A64 (and certainly compared to the RK3399 of the PPP!). So while possible, I think it is pretty infeasible. That and I think everything is wired to the main CPU anyways.
Aside from clean room reverse engineering, I do not think there is anyway to actually replace that. One can wipe and reformat the ADSP, but to my knowledge, if the source code is out there, it is certainly leaed proprietary source code.
Of course Pine has to treat it as unfixable -- the modem is already an untrusted component out of the box, and the FCC (and peers) would never allow Pine to ship their own modem firmware.
The first thing I do on new Quectel firmware is the check with Ghidra. I don't use the insecure Linux modems, just the baremetal modems. Which are actually 2 CPU's with 2 firmwares. The modem itself is either a Broadcom or Qualcomm RF chip with all those AT commands and its completely insecure AT parsing via internal UART. The main CPU is best used baremetal, which is much more secure and needs much less energy than the Linux variants. I fixed dozens of security issues in their SDK, but still prefer it over STM, Atmel or Raspi.
You could already do that on this particular modem; the author's previous post (linked from the first paragraph here) involves running a lot of arbitrary code on the modem, and there's an entire alternative implementation running around (https://news.ycombinator.com/item?id=30301837 discusses it a bit). This just talks about running arbitrary commands specifically through the AT interface on the stock firmware.
You and everyone else can own your modem. I'd rather someone not be able to install an undetectable rootkit on my phone with nothing more than an AT command...
I'm honestly not sure (I haven't played with modems much), but I do know that doing a clean wipe of the eMMC or an SD card is way easier than a clean wipe of your modem. It's also a fair bit harder to check for anomalous activity, although with easier shell access, maybe that mitigates both problems?
To be clear, I think it's a lose/lose situation, because I want access to the modem in my pinephone, but I'd rather shell access require some kind of physical attestation (serial connection over the pogopins or something), instead of ... this.
...so nothing of substance is hiding there, because AT commands from Bluetooth peripherals have no way to reach the modem (they just happen to speak same-ish language the modem does).
This is certainly interesting from a vulnerability perspective - and hats off for the effort. But there's still `adb shell`, so it feels a bit like picking the lock when the front door is wide open.
This, exactly. I work with similar modems daily. The first thing I do is to run the AT command for enabling adb. From there you can do whatever. The modems are quite beefy, 100s MB of RAM and multiple CPU cores. They even come pre-installed with a http server, ftp client, ALSA and much more.
Also, if you really want to get creative, I think you can just dump the firmware, which is just normal Linux. So just dump it, mount the filesystem and make whatever changes you want then re-flash.
The quality and security of the software in these things is absolutely bottom tier.
The market for cellular modules is very competitive. From a time to market point of view is cheaper and faster to reuse smartphone-grade socs instead of reinventing the wheel.
As far as I know, only u-blox is producing their own SoC (albeit for cat-m/nb-iot only) all the others are using existing solutions from Qualcomm and others.
This is only scratching the surface. I did not talk about certification which is another beast altogether.
oh that's fun, but it's pretty common on even commercial qualcomm phones, especially xiaomi/huawei where you can force the modem/baseband to have a com port/debug port.
https://github.com/Biktorgj/pinephone_modem_sdk/releases
It still uses the ADSP from Quectel, but from my usage (and from other's reports), it is FAR more stable than the stock firmware. It is also immune to this vunerability (I don't even think it has atfwd_daemon).